Skip to content

crypto/tls: incompatibility with Trust Settings in CA certificate #31881

New issue
New issue
Open
Open
crypto/tls: incompatibility with Trust Settings in CA certificate#31881
Labels
NeedsInvestigationSomeone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Milestone
Unplanned
@kruftik

Description

@kruftik
kruftik
opened on May 7, 2019

What version of Go are you using (go version)?

$ go version
go version go1.12.4 linux/amd64

Does this issue reproduce with the latest release?

yes

What operating system and processor architecture are you using (go env)?

golang:latest @ docker

go env Output
$ go env
GOARCH="amd64"
GOBIN=""
GOCACHE="/root/.cache/go-build"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/go"
GOPROXY=""
GORACE=""
GOROOT="/usr/local/go"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build114266566=/tmp/go-build -gno-record-gcc-switches"

What did you do?

Standard crypto/tls library is incompatible with CA certificates (either root or intermediate one) when they contain Trust Settings (https://www.openssl.org/docs/manmaster/man1/x509.html#TRUST_SETTINGS):

$ openssl -in rootCA.crt -text -noout
...
No Trusted Uses.
No Rejected Uses.
Alias: XXX
...

Since widely used MS AD-based CAs DO have such Settings in their certs, it is hard to use encrypted connections in golang programms in such environments.

What did you expect to see?

The successfull TLS-handshake.

What did you see instead?

In our case server's cert is issued by intermediate CA which is issued by root CA and server.crt contains server's cert followed by the intermediate CA's one.

In the case when the Trust Settings are present in the intermediate's cert, tls-negotiation fails with the following errors:
client.go:40: tls: failed to parse certificate from server: asn1: syntax error: trailing data
server.go:55: remote error: tls: bad certificate

If only the root's cert contains the Settings, the errors are slightly different:
client.go:40: x509: certificate signed by unknown authority
server.go:55: remote error: tls: bad certificate

(Example client&server apps are available at https://github.com/kruftik/go-tls-vs-windows-ad-ca, build.sh prepares binaries)

Once the Settings are being stripped from both root and intermedia CA certs with the openssl x509 -in rootCA.crt -out rootCA.clean.crt command, the problem is going away.

Metadata

Metadata

Assignees

No one assigned

    Labels

    NeedsInvestigationSomeone must examine and confirm this is a valid issue and not a duplicate of an existing one.

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions